Social engineering was responsible for a major security breach at a U.S. government agency, it was reported at this year's RSA conference.

What is social engineering?

Social engineering is the psychological manipulation of people into performing actions or divulging confidential information that they wouldn't knowingly agree to.

What happened?

During a 90-day penetration test, two hackers set up an imaginary alias, masquerading on LinkedIn and Facebook as a woman named "Emily". They, or rather Emily, built a network of friends and colleagues within and around the government agency in question (amounting to hundreds of connections) to lend credibility to their social media deception. Over the course of the test Emily managed to gain administrative rights, network access credentials, a company laptop and even highly sensitive documents from the unnamed U.S. government agency, which itself specialises in offensive cyber security and protecting secrets.

How did Emily succeed?

Once Emily's background was in place, she built sufficient trust and legitimacy to manipulate a number of her new connections. She contacted the target agency's employees, focussing on those who worked in HR and IT Support, and even some executives. Through a clever but simple social engineering strategy Emily managed to get a job offer. Her new 'colleagues' (perhaps eager to impress) then helped by providing Emily with confidential information and access, including a company laptop and Salesforce logins.

Even more worryingly, Emily sent out an apparently harmless seasonal greetings e-card via Facebook. Once Emily's unsuspecting connections clicked on it, the card gave the hackers remote access to their devices and data, including sensitive documents and information. Had this been a real attack rather than a test, the results for the agency in question could have been devastating.

How do you protect against social engineering?

The efficacy of social engineering (and therefore its very real risks) is highlighted by the fact that the hackers who ran this test have run similar tests with major banks, credit card companies and healthcare organisations. Their social engineering tests have a 100% success rate.

That said, there are a number of measures companies can put in place to reduce the likelihood of a successful social engineering attack. These include raising awareness of the risks of social engineering; having a clear policy on social media use; educating staff so that they stick to that policy; ensuring staff understand the severity of the consequences of a breach; and testing the physical security of your company to see whether the processes you have in place actually work.